K000137053 : Overview of F5 vulnerabilities (October 2023)

2023-10-10 00:00:00
my.f5.com

Security Advisory Description

Note: F5 is committed to responding quickly to potential vulnerabilities in F5 products. As with all publicly known vulnerabilities, F5 is committed to publishing a response as soon as the vulnerability has been thoroughly investigated. In this case, an external researcher informed F5 that their findings would be made public on October 10. To reduce the impact on our customers, we made the decision to move the October 18 QSN to October 10 to mitigate the disruption caused by multiple disclosures.

On October 10, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles.

The October 2023 Quarterly Security Notification briefing by DevCentral is also available as a video. This overview is organized into the following sections:

  • High CVEs
  • Medium CVEs
  • Security Exposures

High CVEs

| Article (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
|---|---|---|---|---|
| K000135689: BIG-IP Configuration utility vulnerability CVE-2023-41373 | 8.8 - Standard deployment; 9.9 - Appliance mode | BIG-IP (all modules) | 17.1.0, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6 |
| K41072952: BIG-IP Appliance mode external monitor vulnerability CVE-2023-43746 | 8.7 - Appliance mode only | BIG-IP (all modules) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
| K29141800: Multi-blade VIPRION Configuration utility session cookie vulnerability CVE-2023-40537 | 8.1 | BIG-IP (all modules) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
| K000136185: BIG-IP Edge Client for macOS vulnerability CVE-2023-43611 | 7.8 | BIG-IP (APM) | 17.1.0, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | None |
| | | APM Clients | 7.2.3 - 7.2.4 | 7.2.4.4 |
| K000133467: BIG-IP HTTP/2 vulnerability CVE-2023-40534 | 7.5 | BIG-IP (all modules) | 17.1.0 - 17.1.1, 16.1.0 - 16.1.4 | 17.1.1.1; 17.1.1 + Hotfix-BIGIP-17.1.1.0.2.6-ENG²; 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.23.4-ENG²; 16.1.4.2; 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.13.5-ENG² |
| | | BIG-IP Next SPK | 1.6.0 - 1.8.2 | None |
| K000134652: BIG-IP TCP profile vulnerability CVE-2023-40542 | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
| K000132420: BIG-IP IPsec vulnerability CVE-2023-41085 | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
| K000135874: BIG-IP Next SPK SSH vulnerability CVE-2023-45226 | 7.4 | BIG-IP Next SPK | 1.5.0 | 1.6.0 |
| K000135040: BIG-IP Edge Client for macOS vulnerability CVE-2023-5450 | 7.3 | BIG-IP (APM) | 17.1.0, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | None |
| | | APM Clients | 7.2.3 - 7.2.4 | 7.2.4.5 |
| K26910459: BIG-IP iControl REST vulnerability CVE-2023-42768 | 7.2 | BIG-IP (all modules) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

² F5 has fixed this issue in an engineering hotfix that is available for versions of the BIG-IP system which have not yet reached End of Software Development. Customers affected by this issue can download the engineering hotfix from the MyF5 Downloads page. For more information, refer to K000090258: Download F5 products from MyF5. While F5 endeavors to release the most stable code possible, engineering hotfixes do not undergo the extensive QA assessment of scheduled software releases. F5 offers engineering hotfixes with no warranty or guarantee of usability. For more information about the hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.
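The affected-version and fix columns above are meant to be read against the version actually installed on each device. The following Python is an added worked example, not F5 tooling and not code from this article: it transcribes three BIG-IP software rows of the High CVEs table and reports, for a given BIG-IP version, whether that version sits in an affected range, is at or past a fix listed for its branch, or lies outside every evaluated range (which, per footnote 1, includes EoTS releases). The ordering rule it uses (compare dotted numeric components, and treat a point release such as 16.1.4.1 as part of the 16.1.4 row until a fix on that branch is reached) is an assumption about how F5's tables are read; the APM client, BIG-IP Next SPK and "+ Hotfix-…-ENG" rows are not modelled.

```python
"""Check a BIG-IP software version against rows of the High CVEs table.

Added example, not an F5 tool. Table rows are transcribed from the page
(BIG-IP software rows only). The version-ordering rule is an assumption.
"""

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'16.1.4.1' -> (16, 1, 4, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_range(text: str) -> tuple[Version, Version]:
    """'16.1.0 - 16.1.4' -> ((16, 1, 0), (16, 1, 4)).

    A lone '17.1.0' becomes a one-element range that also covers its
    point releases (17.1.0.1, 17.1.0.2, ...) until a fix is reached.
    """
    parts = [p.strip() for p in text.split("-")]
    return parse_version(parts[0]), parse_version(parts[-1])


# Transcribed from the High CVEs table above (subset of rows).
HIGH_CVES = {
    "CVE-2023-41373": {
        "article": "K000135689: BIG-IP Configuration utility vulnerability",
        "affected": ["17.1.0", "16.1.0 - 16.1.4", "15.1.0 - 15.1.10",
                     "14.1.0 - 14.1.5", "13.1.0 - 13.1.5"],
        "fixes": ["17.1.0.3", "16.1.4.1", "15.1.10.2", "14.1.5.6"],
    },
    "CVE-2023-43746": {
        "article": "K41072952: BIG-IP Appliance mode external monitor vulnerability",
        "affected": ["16.1.0 - 16.1.3", "15.1.0 - 15.1.8",
                     "14.1.0 - 14.1.5", "13.1.0 - 13.1.5"],
        "fixes": ["17.1.0", "16.1.4", "15.1.9"],
    },
    "CVE-2023-42768": {
        "article": "K26910459: BIG-IP iControl REST vulnerability",
        "affected": ["16.1.0 - 16.1.3", "15.1.0 - 15.1.8",
                     "14.1.0 - 14.1.5", "13.1.0 - 13.1.5"],
        "fixes": ["17.1.0", "16.1.4", "15.1.9"],
    },
}


def status(version: str, entry: dict) -> str:
    """Return 'affected', 'fixed' or 'not evaluated' for one table row."""
    v = parse_version(version)
    branch = v[:2]  # major.minor, e.g. (16, 1)
    # A fix listed for the same branch at or below this version clears it.
    for fix in entry["fixes"]:
        f = parse_version(fix)
        if f[:2] == branch and v >= f:
            return "fixed"
    for rng in entry["affected"]:
        low, high = parse_range(rng)
        # Compare only as many components as the upper bound has, so that
        # 16.1.4.1 is read as part of the 16.1.4 row rather than above it.
        if v >= low and v[: len(high)] <= high:
            return "affected"
    # Outside every listed range: F5 did not evaluate it (footnote 1).
    return "not evaluated"


def report(version: str) -> dict[str, str]:
    """Status of one installed version against every transcribed row."""
    return {cve: status(version, entry) for cve, entry in HIGH_CVES.items()}


if __name__ == "__main__":
    for ver in ("16.1.3", "16.1.4.1", "17.1.0.2", "13.1.5", "12.1.6"):
        print(ver, report(ver))
```

The branch-aware fix check matters for rows like CVE-2023-41373, where the affected range ends at 16.1.4 but the fix is the point release 16.1.4.1: a naive tuple comparison would place 16.1.4.1 above the range and wrongly report it as unaffected when it is in fact the fixed build, while 16.1.4.0 and plain 16.1.4 remain affected.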

Medium CVEs

| Article (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
|---|---|---|---|---|
| K98334513: BIG-IP DNS TSIG key vulnerability CVE-2023-41253 | 5.5 | BIG-IP (DNS, LTM enabled with DNS Services license) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
| K06110200: BIG-IP and BIG-IQ TACACS+ audit log vulnerability CVE-2023-43485 | 5.5 | BIG-IP (all modules) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
| | | BIG-IQ Centralized Management | 8.0.0 - 8.3.0 | 8.3.0 + Hotfix-BIG-IQ-8.3.0.0.12.118-ENG²; 8.2.0.1 + Hotfix-BIG-IQ-8.2.0.1.0.13.97-ENG² |
| K000137106: HTTP/2 vulnerability CVE-2023-44487 | 5.3 | BIG-IP Next (all modules) | 20.0.1 - 20.0.2 | 20.1.0 |
| | | BIG-IP Next SPK | 1.5.0 - 1.8.2 | None |
| | | BIG-IP (all modules) | 17.1.0 - 17.1.1, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
| | | NGINX Plus | R25 - R30 | R30 P1, R29 P1 |
| | | NGINX OSS | 1.9.5 - 1.25.2 | None |
| | | NGINX Ingress Controller | 3.0.0 - 3.3.0, 2.0.0 - 2.4.2, 1.12.2 - 1.12.5 | None |
| K20307245: BIG-IP tmsh vulnerability CVE-2023-45219 | 4.4 | BIG-IP (all modules) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
| K47756555: BIG-IP APM Guided Configuration vulnerability CVE-2023-39447 | 4.4 | BIG-IP (APM) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.7 | 17.1.0, 16.1.4, 15.1.8 |
| | | BIG-IP (Guided Configuration) | 8.0, 7.0 - 7.7, 6.0 | 9.0 |
| K20850144: BIG-IP and BIG-IQ DB variable vulnerability CVE-2023-41964 | 4.3 | BIG-IP (all modules) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
| | | BIG-IQ Centralized Management | 8.0.0 - 8.3.0 | 8.3.0 + Hotfix-BIG-IQ-8.3.0.0.12.118-ENG²; 8.2.0.1 + Hotfix-BIG-IQ-8.2.0.1.0.13.97-ENG² |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

² F5 has fixed this issue in an engineering hotfix that is available for versions of the BIG-IQ system which have not yet reached End of Software Development. Customers affected by this issue can download the engineering hotfix from the MyF5 Downloads page. For more information, refer to K000090258: Download F5 products from MyF5. While F5 endeavors to release the most stable code possible, engineering hotfixes do not undergo the extensive QA assessment of scheduled software releases. F5 offers engineering hotfixes with no warranty or guarantee of usability. For more information about the hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.

Security Exposures

| Article (Exposure) | Affected products | Affected versions¹ | Fixes introduced in |
|---|---|---|---|
| K75431121: BIG-IP APM OAuth Bearer with SSO does not process HTTP headers as expected | BIG-IP (APM) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5 | 17.1.0, 16.1.4, 15.1.9 |
| K21800102: HTTP RFC enforcement is bypassed when a redirect iRule is applied to the virtual server | BIG-IP (all modules) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
| K000135944: Attack signature check security exposure | BIG-IP (Advanced WAF/ASM) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
| | NGINX App Protect WAF | 4.0.0 - 4.1.0, 3.3.0 - 3.12.2 | 4.2.0 |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.